
A private web server must utilize TLS v 1.0 or greater.


Overview

Finding ID: V-2262
Version: WG340 IIS7
Rule ID: SV-32334r2_rule
IA Controls: ECSC-1
Severity: Medium
Description
TLS encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring its confidentiality. If private information is not encrypted, it could be intercepted and easily read by an unauthorized party.
STIG: IIS 7.0 WEB SITE STIG
Date: 2014-01-09

Details

Check Text (C-32740r3_chk)
1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the SSL Icon.
4. Ensure Require SSL and Require SSL 128-Bit are checked.

Note: If the Require SSL 128-Bit setting is not visible, it can be viewed by clicking the site under review and then opening the Configuration Editor. In the Section dropdown at the top of the Configuration Editor, select system.webServer/security/access. The value for sslFlags should be ssl128.

If not, this is a finding.
Fix Text (F-29067r3_fix)
1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the SSL Icon.
4. Click the Require SSL and Require SSL 128-Bit check boxes.

Note: If the Require SSL 128-Bit setting is not visible, it can be set by clicking the site node and then opening the Configuration Editor. In the Section dropdown at the top of the Configuration Editor, select system.webServer/security/access. Click the value beside sslFlags and select ssl128 in the dropdown list.
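
The check above can also be run offline against a collected copy of applicationHost.config. The following is an added example, not part of the STIG text: it reads the sslFlags attribute of system.webServer/security/access for each site and flags any site that lacks both settings. The function names, the sample configuration and its site names are constructed for illustration, and it assumes the two check boxes are stored as the flag tokens Ssl and Ssl128 and that the per-site value lives in a location element of applicationHost.config.

```python
import xml.etree.ElementTree as ET

ACCESS = "system.webServer/security/access"
REQUIRED = {"ssl", "ssl128"}  # assumed tokens for Require SSL + Require SSL 128-Bit

# Constructed sample in the layout of applicationHost.config (not from the STIG page).
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Intranet" id="1" />
      <site name="Payroll" id="2" />
      <site name="Legacy" id="3" />
    </sites>
  </system.applicationHost>
  <system.webServer>
    <security><access sslFlags="None" /></security>
  </system.webServer>
  <location path="Intranet">
    <system.webServer><security><access sslFlags="Ssl, Ssl128" /></security></system.webServer>
  </location>
  <location path="Payroll">
    <system.webServer><security><access sslFlags="Ssl" /></security></system.webServer>
  </location>
</configuration>"""

def parse_flags(value):
    """Split an sslFlags attribute such as "Ssl, Ssl128" into lowercase tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def audit_ssl_flags(config_xml):
    """Return {site name: (sorted flags, is_finding)} for every site in the config."""
    root = ET.fromstring(config_xml)
    server_default = root.find(ACCESS)  # server-wide value, used when a site has none
    per_site = {}
    for loc in root.findall("location"):
        node = loc.find(ACCESS)
        if node is not None:
            per_site[loc.get("path", "").lower()] = node
    results = {}
    for site in root.findall("system.applicationHost/sites/site"):
        name = site.get("name")
        node = per_site.get(name.lower(), server_default)  # site-level value wins
        flags = parse_flags(node.get("sslFlags") if node is not None else "")
        results[name] = (sorted(flags), not REQUIRED <= flags)
    return results

if __name__ == "__main__":
    for name, (flags, finding) in audit_ssl_flags(SAMPLE_CONFIG).items():
        print(f"{name}: sslFlags={flags or ['none']} -> {'FINDING' if finding else 'ok'}")
```

A site with no location entry of its own inherits the server-wide value, so the constructed "Legacy" site is reported as a finding even though it never appears in a location element.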